tka: make rotation signatures use nested keyID

Duplicating this at each layer doesnt make any sense, and is another invariant where things could go wrong. Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-14 12:34:04 -07:00
parent 86c5bddce2
commit e8a11f6181
3 changed files with 38 additions and 5 deletions
@@ -686,7 +686,12 @@ func (a *Authority) NodeKeyAuthorized(nodeKey key.NodePublic, nodeKeySignature t
 		return errors.New("credential signatures cannot authorize nodes on their own")
 	}

-	key, err := a.state.GetKey(decoded.KeyID)
+	kID, err := decoded.authorizingKeyID()
+	if err != nil {
+		return err
+	}
+
+	key, err := a.state.GetKey(kID)
 	if err != nil {
 		return fmt.Errorf("key: %v", err)
 	}